Age | Commit message (Collapse) | Author |
|
|
|
Conflicts:
lib/crypto/c_src/crypto.c
lib/ssl/src/ssl_cipher.erl
|
|
|
|
Renamed the init function as the return semantics are changed.
|
|
|
|
* RoadRunnr/crypto/no-rc4/PR-1169/OTP-13896:
disable RC4 in SSL when crypto doesn't support it
Fix compilation when OpenSSL doesn't support RC4
Conflicts:
lib/crypto/c_src/crypto.c
|
|
* legoscia/crypto/no-rc2/PR-1163/OTP-13895:
Fix compilation when OpenSSL doesn't support RC2
|
|
That should be <warning>, not <warn>.
|
|
For consistency with other applications.
|
|
|
|
In one of the test cases, the IV is 8 bytes. In FIPS mode, the minimum
allowed IV length is 12 bytes, so let's skip that test case.
|
|
block_crypt_nif does some sanity tests on its arguments before trying
to initialise the cipher. This made some of the tests in crypto_SUITE
fail, since they were expecting notsup, not badarg. Fix this by
passing the same test data as for the positive tests.
|
|
Adapted from commit 675ee6860d2c273bcc6c6a0536634a107e2a3d9f.
|
|
Even if Erlang/OTP has been built with --enable-fips, it's possible
that the OpenSSL library we're linked to doesn't support FIPS mode.
In that case, it will fail to enable it at run time. Let's handle
that in crypto_SUITE, by skipping the tests instead of failing.
|
|
Every algorithm is now tested in both FIPS and non-FIPS modes (when
crypto is compiled with FIPS support). In FIPS mode non-FIPS
algorithms are disabled and the tests verify that they crash with
notsup error as expected.
In FIPS mode RSA and EC algorithms don't work if the key sizes are
below a minimum required value - which happened to be the case with
most keys used in the tests. These tests were changed to use longer
keys (even in non-FIPS mode for simplicity).
Conflicts:
lib/crypto/test/crypto_SUITE.erl
|
|
FIPS mode support needs to be enabled at compile time, by configuring
Erlang/OTP with --enable-fips option. In FIPS mode the non-FIPS
algorithms are disabled and raise error notsup.
The supported protocols list is properly updated in FIPS mode to
advertise only the enabled protocols.
FIPS mode is off by default even if Erlang/OTP was built with FIPS
support. It needs to be turned on at runtime.
The official approach is to set the fips_mode application environment
parameter of the crypto application to true. This would turn FIPS mode
on when the NIF is loaded and would prevent loading the module on
error.
Another method is provided via the crypto:enable_fips_mode/1
function, but it is not recommended to be used in production, as it
won't prevent the use of the crypto module in case of an error, and
would risk OpenSSL crashing the emulator. It is very useful for test
suites however that need to check both validated and non-validated
functionality.
This commit is based on commit
00b3a04d17a653b4abddeebd6dd8a2c38df532d0.
|
|
Make all calls to erlang:error/2 specify the actual argument list of
the function. This ensures that the stacktrace contains the correct
arity of the function where the error occurred.
|
|
* sverker/include-erl_nif/PR-1171:
Use more correct delimiters for erl_nif.h include
|
|
When OpenSSL has been configured with the "no-rc4" option, the header
file rc4.h doesn't exist, and neither does the rc4 functions.
Let's handle those by checking whether OPENSSL_NO_RC4 is defined.
|
|
=== OTP-19.1 ===
Changed Applications:
- asn1-4.0.4
- common_test-1.12.3
- compiler-7.0.2
- crypto-3.7.1
- debugger-4.2.1
- dialyzer-3.0.2
- diameter-1.12.1
- edoc-0.8
- erl_docgen-0.6
- erl_interface-3.9.1
- erts-8.1
- eunit-2.3.1
- gs-1.6.2
- hipe-3.15.2
- ic-4.4.2
- inets-6.3.3
- jinterface-1.7.1
- kernel-5.1
- mnesia-4.14.1
- observer-2.2.2
- odbc-2.11.3
- parsetools-2.1.3
- reltool-0.7.2
- runtime_tools-1.10.1
- sasl-3.0.1
- snmp-5.2.4
- ssh-4.3.2
- ssl-8.0.2
- stdlib-3.1
- syntax_tools-2.1
- tools-2.8.6
- wx-1.7.1
- xmerl-1.3.12
Unchanged Applications:
- cosEvent-2.2.1
- cosEventDomain-1.2.1
- cosFileTransfer-1.2.1
- cosNotification-1.2.2
- cosProperty-1.2.1
- cosTime-1.2.2
- cosTransactions-1.3.2
- eldap-1.2.2
- et-1.6
- megaco-3.18.1
- orber-3.8.2
- os_mon-2.4.1
- otp_mibs-1.1.1
- percept-0.9
- public_key-1.2
- typer-0.9.11
Conflicts:
OTP_VERSION
lib/gs/doc/src/notes.xml
lib/gs/vsn.mk
|
|
|
|
Anywhere but the beam sources we shouldn't #include "erl_nif.h", because
what "erl_nif.h" does is: (1) fail to find it outside of -I dirs, (2)
then treat it as if it was written like <erl_nif.h>. Using <erl_nif.h>
skips (1).
More information can be found in 6.10.2 of the C standard.
Because the examples use "erl_nif.h", NIF projects in the Erlang
ecosystem copy this verbatim and make the same mistake.
|
|
When OpenSSL has been configured with the "no-rc2" option, the header
file rc2.h doesn't exist, and neither does the function EVP_rc2_cbc.
Let's handle those by checking whether OPENSSL_NO_RC2 is defined.
Also update pbe_SUITE, which uses RC2-CBC in one of the tests.
|
|
|
|
|
|
|
|
maint
* michaesc/crypto/honour-OPENSSL_NO_DES/ERL-203/OTP-13783:
Add '_cfb' alias for misspelled '_cbf' cipher
Fix badarg -> notsup and test cases
Honour OPENSSL_NO_DES
Conflicts:
lib/crypto/c_src/crypto.c
|
|
|
|
Also correct algo_cipher[] size since it was one to small.
|
|
Patch suggestion by Michae in ERL-203 at bugs.erlang.org.
|
|
* maint:
doc: Correct errors introduced by Editorial changes
|
|
Fix some older errors as well.
|
|
* gotthardp/crypto/add-cmac/ERL-82/PR-1138/OTP-13779:
Skip the cmac test cases on older OpenSSL
Added a reference to cmac RFC in the description part of the man page
Fix building crypto/cmac_nif on 64-bit machines.
crypto:cmac calculating the Cipher-based Message Authentication Code
|
|
|
|
|
|
|
|
|
|
The ERL-82 issue requests a way to calculate a CMAC in Erlang. The
AES128 CMAC is standartized in RFC 4493 and used e.g. for message
authentication in the LoRaWAN networks.
The CMAC is implemented by OpenSSL since v1.0.1, but as @IngelaAndin
stated in response to the ERL-82, the current crypto implementation
does not include functions that call those OpenSSL cryptolib functions.
This commit introduces a new function `crypto:cmac` that calls
the corresponding OpenSSL functions and calculates the CMAC.
Only the cmac_nif is implemented. The incremental functions (init,
update, final) are not provided because the current OpenSSL does
not allow custom memory allocators like `enif_alloc_resource`.
The Erlang user guide states that at least OpenSSL 0.9.8 is required,
so I added few #ifdefs so the code is compatible with all versions.
However, the OpenSSL pages say that the pre-1.0.1 versions (0.9.8 and
1.0.0) are no longer maintained. Even the 1.0.1 will be retired by
Dec 2016. Hence I believe that adding a 1.0.1-only function like CMAC
should be OK.
|
|
|
|
This reverts commit e020f75c10410a6943cd055bfa072a2641eab7da.
|
|
|
|
to make it easier to read and construct version checks.
|
|
Same fix as was done for EVP in f4f588683dce36c447017.
|
|
|
|
This reverts commit bd64ad8e15d66e48b36dbe3584315dd5cfc8b59a.
|
|
|
|
OpenSSL has deprecated the function RAND_pseudo_bytes used by
crypto:rand_bytes/1, so this function is now deprecated in OTP too.
rand_bytes/3 also used this function, but was not documented
so we can remove it right away.
This commit also removes the fallback in generate_key to use
rand_bytes/1 if strong_rand_bytes/1 throws low entropy.
This is a potential incompatibility but we think it is desirable
as crypto should provide cryptographically secure functions.
|
|
|
|
* henrik/update-copyrightyear:
update copyright-year
|
|
|